
NASA Still Has Not Encrypted All Laptops

By Keith Cowing
NASA Watch
February 28, 2013

Testimony by Paul Martin, NASA Inspector General
“Following the October 31 theft, the NASA Administrator accelerated the timetable to encrypt the hard drives of the Agency’s laptop computers. As of February 15, NASA reported that it had encrypted 99.4 percent of Agency laptops identified as requiring encryption, had exempted 1,636 laptops from the requirement, and was determining whether another 2,947 laptops required encryption or also would be exempted.”
DATA AT REST (DAR) Deployment @ HQ
“As mandated by Federal law and Agency policy, all NASA-issued laptops, as well as desktops with sensitive data, must have Data-At-Rest (DAR) whole-disk encryption software. The NASA OCIO directed that all Centers complete this activity by December 21, 2012.”
Did NASA Meet Its 21 Dec 2012 DAR Deadline?, earlier post
OIG Doubts NASA Can Meet Laptop DAR Deadline, earlier post

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

14 responses to “NASA Still Has Not Encrypted All Laptops”

  1. Gonzo_Skeptic says:

    From the article: Our investigation of a series of APT attacks at the Jet Propulsion
    Laboratory (JPL) involving Chinese-based Internet protocol addresses
    between November 2011 and February 2012 confirmed that cyber attackers
    were successful in achieving control over much of JPL’s network for
    several weeks and used this access to steal or attempt to steal
    NASA-funded data. While data theft appears to be the primary motive, the
    level of access gained by the intruders positioned them to have caused
    significant operational disruption had that been their goal.

    Amazing.

    And NASA is still dragging its feet on security.

    • Steve Whitfield says:

      “involving Chinese-based Internet protocol addresses”

      This is a rash statement as is, considering that any 12-year-old can download free software to mask or misrepresent their IP address.  The attack could have come from anywhere on the planet.  Of course, snubbing the Chinese seems to be popular in some circles these days.

    • Matt Linton says:

       It’s not that NASA is dragging its feet on security, it’s that each foot is chained to a giant medicine ball and making it impossible to do anything but.

      On the left foot are ‘I3P and giant contracts who argue over every security move and try to charge NASA extra for every patch’ and on the other foot are  ‘Trying to achieve DOD-level security on a huge amount of systems that don’t require it, while spreading the budget so thin that nothing else can get done at all’.

      There’d be plenty of money for actual security if it weren’t all being wasted on FISMA compliance, paperwork exercises, and overpaying giant contracts for minor differences in opinion over what the contract covers.

      • Gonzo_Skeptic says:

        Why is it that NASA’s subcontractors are able to adequately budget and manage their IT services and subcontracts, but all NASA seems able to do is shoot themselves in the foot?

        When one group is failing while others are succeeding, it’s reasonable to blame the failing group.

        • whatagy says:

           What leads you to the conclusion that “NASA’s subcontractors are able to adequately budget and manage their IT services and subcontracts”?  I would like to see the data corroborating your assertion.

          • Gonzo_Skeptic says:

             When I write “NASA’s subcontractors”, I mean companies like Boeing, LM, and so on.

            As far as I know, none of them have had major security breaches like NASA.

          • Geoffrey Landis says:

            You said “none of [the contractors] have had major security breaches like NASA.”
            You mean, no security breaches like this one?
            “Aircraft giant Boeing Co. said that a company-owned laptop containing
            the personally identifiable information of nearly 400,000 of its
            employees and former workers was stolen recently.”
            http://searchsecurity.techt
            Or like this one?
            Lockheed Martin Network Suffers Security Breach – http://online.wsj.com/artic

            Or these ones? http://www.privacyrights.or

          • Gonzo_Skeptic says:

            In reply to Geoffrey Landis (see below):

            The Boeing article was from 2006.  That’s stale information.  We’ve gotten a lot smarter about encrypting laptops since then.

            The LM breach was only a rumor based on some duplicate RSA tokens being discovered.  There was no evidence that any information was compromised. 

          • sunman42 says:

            Sorry, but LockMart has had breaches. Because of the sensitivity of some of their work, they don’t talk about it much.

        • Matt Linton says:

           I don’t think your assertion (NASA’s subcontractors are able to adequately budget and manage their IT services) is actually true.

          For the most part, NASA’s subcontractors ARE providing the IT services – and they’re neither adequately budgeted nor successful.

  2. sunman42 says:

    For what it’s worth, I was told last week that our local sys admins had run into instances when the NASA-mandated DAR encryption application failed during initial disk encryption, leaving a user’s disk at least partly encrypted and wholly unresponsive to attempts to back out and start again. Evidently, there is a $299 commercially available tool to unlock/decrypt drives encrypted with the application, and they’d like to purchase it for such cases.

    If our sys admins know about that $299 product, do you think the bad guys do?

    • dogstar29 says:

      We’ve also lost at least one hard drive to the DAR script, which BTW takes over your computer when it wants to and gives the user NO opportunity to back up work. 

  3. dogstar29 says:

    There was _one_ case of laptop theft with no indication the thief even bothered to access the disk before formatting it, so we are required to install DAR. Separate appointment with admin for every user for every laptop since the particular implementation of DAR cannot use domain authentication, and DAR passwords must be managed separately from domain and Launchpad passwords. Suppose your group of seven shares five laptops? Wait a minute, there is a rumor that the PII was also on paper in the laptop case. How will DAR prevent that? Common sense would prevent it, but common sense would have led to using the already available software for encrypting sensitive files.

    Every known theft of data has been from one of thousands of network attacks, for which DAR provides no protection whatever. The details of these intrusions haven’t even been provided to ordinary users so we can guard against them. We have no idea if the real problem is exploits of the OS, which of course is the responsibility of management. Good luck if you want to run Linux on the network, your computer won’t be covered by the security plan. Meanwhile we are required to change 12-character passwords every two months because IT management is living back in the 70’s and is convinced the hackers still have access to /etc/passwd on the server and can crack any password, but only after 61 days of computing.  

    • MIhammock says:

      There was more than _one_ laptop theft, and multiple centers have had laptops stolen.